
Medibank hack crisis escalates

Ayesha de Kretser and Paul Smith
The Australian Financial Review
Wednesday 26 October 2022

The Medibank hack has developed into a crisis in the same league as the COVID-19 pandemic, Minister for cybersecurity Clare O’Neil told parliament on Tuesday, saying the “smartest and toughest” people in government would take charge of the response after criminals stepped up their demands and the scope of the crisis widened.

Australia’s biggest health insurer was forced to do yet another embarrassing backflip, revealing the extortionists have data from customers of its core Medibank brand health insurance.

“Unfortunately, it is now clear that the criminal has taken data that belongs to Medibank customers, in addition to that of (discount brand) AHM and international student customers,” Medibank chief executive David Koczkar wrote to customers of its flagship brand on Tuesday. Medibank has a total of 3.8 million customers across its businesses.

Medibank admitted it had been sent another 1000 customers’ details on top of an initial 100 files shared last week, prompting pledges from Ms O’Neil to help customers cope with the fallout if their private health records were made public.

“We are putting in place substantial support measures for Australians should the worst come to worst and some of this information be made public,” Ms O’Neil told parliament, in the first hint that the government would rather help Medibank manage the fallout than let it pay the criminals a ransom.

Ms O’Neil said the government has elevated the standing of Medibank’s data breach crisis to levels only previously seen in the height of the COVID-19 pandemic and natural disasters, invoking the National Coordination Mechanism to bring together agencies of the federal government with those of the states and territories. The NCM was established by the Home Affairs ministry in the wake of the pandemic, and is ultimately headed by the prime minister.

At the same time Medibank told customers it would provide individual “financial support for customers who are in a uniquely vulnerable position as a result of this crime” and reimburse fees for reissuing identity documents “that have been fully compromised in this crime.”

The about-face comes nearly two weeks after Medibank first downplayed the severity of a major attack, telling Ms O’Neil no data had been taken within 48 hours of the incident that occurred on October 12. Its shares have been suspended since Friday after two earlier trading halts.

Opposition cybersecurity spokesman senator James Paterson said it “appears [the claim] was accepted at face value and it wasn’t interrogated”.

Mr Paterson called on the government to explain why it waited more than a week to embed the Australian Federal Police and Australian Signals Directorate within Medibank, given the sensitivity of the health data involved.

“They should have treated this like everything had been stolen on day one,” Mr Paterson said.

“The key failing in my view, there was always the potential for this to be more serious. We knew at the beginning that it involved a compromised credential.”

Ms O’Neil fronted media in Melbourne last Thursday saying the government was sending the AFP and ASD into Medibank’s offices to work on the frontline.

But she did not say why the government hadn’t considered treating the matter more seriously from day one and why it had accepted Medibank’s claims that nothing was taken, even though the company told the market it was still investigating to rule out data being taken.

“Every day lost worsens the damage done. Medibank victims have every right to know what steps the Albanese government took, and when,” Mr Paterson said.

He said the government should release a clear timeline of the actions they took following the initial disclosure on October 13.

Ms O’Neil said that on Saturday she had activated the national coordination mechanism set up by the Morrison government during the height of COVID-19 to help coordinate emergency response.

This measure, which is under the remit of the Home Affairs Department, means representatives of all relevant agencies of the Australian Government, state and territory governments, industry representatives and Medibank insiders are brought together for meetings to ensure everyone knows what the others need, and what has to be done next.

The first meeting was convened virtually on Sunday, and the group has met a further two times since. Those involved from the government side included Services Australia, the Department of Health, the Australian Signals Directorate and the Australian Cyber Security Centre.

Medibank is expected to exit a voluntary trading suspension on Wednesday, with analysts confident the issue will not be material to its share price. The suspension has been in place since Friday, when it revealed 100 customers’ data had been taken.

It still hasn’t confirmed whether credit card details for its 3.8 million customers have been taken.

Until Tuesday, Medibank had continued to claim only servers housing its cheaper brand AHM and international student policies had been hit, with the government defending its disclosures.

While Medibank has not confirmed a ransom demand, The Sydney Morning Herald, which was sent the ransom note, said there was a threat to sell 200 gigabytes of stolen data unless the insurer paid up. The criminals also said they would first target 1000 high-profile Australians with their own data as a warning.

Medibank first said it had detected “unusual activity” on its AHM and international student business network and taken steps to contain the issue on October 12.

A stolen, sold or hacked password, otherwise known as a compromised credential, is believed to have helped the criminals to access Medibank data.

On Wednesday Attorney-General Mark Dreyfus is expected to introduce legislation to increase the maximum penalty for serious or repeated breaches of privacy laws from $2.2 million to the greater of $50 million; three times any benefit obtained from the misuse of data; or 30 per cent of adjusted revenue in the relevant period.

That means a company with revenue of $1 billion in the 12 months before a data breach could face a fine of up to $300 million, in a move designed to “incentivise better behaviour”.

But experts said big fines would do little to actually protect the public from the types of high-profile breaches that have hit Medibank and telco giant Optus in recent weeks, given the maximum fines are only levied against examples of egregious or negligent breaches.

The Morrison government commenced a review of the Privacy Act that was never completed, with Mr Dreyfus pledging as one of his early tasks to push through a comprehensive review.

The review should be handed to the attorney-general before the end of the year and is expected to help strengthen Australia’s cybersecurity defences and also ensure companies are not holding onto data for any longer than strictly necessary.

Former Medibank, AHM and international student policyholders have been contacted, with the insurer saying it is required to retain health information for seven years for adults and up to 25 years for children.
